Strong Parallel Repetition for a Monogamy-of-Entanglement Game 
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We consider a game in which two players collaborate to prepare a quantum system and 
are then asked to independently guess the outcome of a measurement in a random basis on 
that system. Intuitively, by the monogamy of entanglement, the probability that both players 
simultaneously succeed in guessing the outcome correctly is bounded. 

We are interested in the question of how the success probability scales when this guessing 
game is repeated in parallel. We show a perfect parallel repetition theorem for this game, that 
is, we show that any strategy that maximizes the probability to win every round individually 
(N. is also optimal for the parallel repetition of the game. In particular, our result implies that 

the optimal guessing probability can be achieved without the use of entanglement. 

We explore several applications of this result. First, we show that it implies security for 
standard BB84 quantum key distribution when one party uses fully untrusted measurement 
O ■ devices. Second, we show that our result can be used to prove security of a one-round 

| position-verification scheme. Finally, our techniques can be used to generalize a well-known 

■ uncertainty relation for the guessing probability to quantum side information. 

CL; I. INTRODUCTION 

+!> 

Apart from their obvious entertainment value, games among multiple (competing) players of- 
ten provide an intuitive way to understand complex problems. For example, we may understand 
Bell inequalities in physics [2], or interactive proofs in computer science [3], as a game played 
by a referee against multiple provers [11, 16]. Here we investigate a simple quantum multiplayer 
game whose analysis enables us to tackle several open questions in quantum cryptography. 

OV 

(T) ■ A. Monogamy Game 

; 

We consider a game played among three parties: Alice, Bob and Charlie. In this game, Alice 
takes the role of a referee and is assumed to be honest whereas Bob and Charlie form a team 
determined to beat Alice. A monogamy-of-entanglement game G consists of a list of projective 
measurements, M? = {F®} X £X, indexed by 9 £ G, on a (i-dimensional quantum system. 
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Preparation Phase: Bob and Charlie agree on a strategy and prepare an arbitrary quantum 
state pABCi where pa has dimension d. They pass pa to Alice and hold on to ps and pc, 
respectively. After this phase, Bob and Charlie are no longer allowed to communicate. 
Question Phase: Alice chooses G 6 uniformly at random and measures pa using M. to 

obtain the measurement outcome, x £ X . She then announces 9 to Bob and Charlie. 
Answer Phase: Bob and Charlie independently form a guess of x by performing a measurement 

(which may depend on 9) on their respective shares of the quantum state. 
Winning Condition: The game is won if both Bob and Charlie guess x correctly. 

From the perspective of classical information processing, our game may appear somewhat 
trivial — after all, if Bob and Charlie were to provide some classical information k to Alice who 
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would merely apply a random function fg, they could predict the value of x = fg(k) perfectly 
from k and 9. In quantum mechanics, however, the well-known uncertainty principle [18] places 
a limit on how well observers can predict the outcome x of incompatible measurements. 

To exemplify this, we will in the following focus on the game G BB84 m which Alice measures a 
qubit in one of the two BB84 bases [4] to obtain a bit x G {0, 1} and use p w in(G BB84 ) to denote the 
probability that Bob and Charlie win, maximized over all strategies. (A strategy is comprised 
of a tripartite state pabc, an d, for each 6 G 0, a measurement on B and a measurement on 
C.) Then, if Bob and Charlie are restricted to classical memory (i.e., they are not entangled 
with Alice), it is easy to see that they win the game with an (average) probability of at most 
1/2 + 1/(2^2) < 

.Pwii+* J BB84 / )- 

In a fully quantum world, however, uncertainty is not quite the end of the story as indeed 
Bob and Charlie are allowed to have a quantum memory. To illustrate the power of such a 
memory, consider the same game played just between Alice and Bob. As Einstein, Podolsky 
and Rosen famously observed [14]: If pab is a maximally entangled state, then once Bob learns 
Alice's choice of measurement 8, he can perform an adequate measurement on his share of the 
state to obtain x himself. That is, there exists a strategy for Bob to guess x perfectly. Does this 
change when we add the extra player, Charlie? We can certainly be hopeful as it turns out that 
quantum entanglement is "monogamous" [44] in the sense that the more entangled Bob is with 
Alice, the less entangled Charlie can be. In the extreme case where pab is maximally entangled, 
even if Bob can guess x perfectly every time, Charlie has to resort to making an uninformed 
random guess. As both of them have to be correct in order to win the game, this strategy turns 
out to be worse than optimal. 

An analysis of this game thus requires a tightrope walk between uncertainty on the one hand, 
and the monogamy of entanglement on the other. The following result is a special case of our 
main result (which we explain further down); a slightly weaker bound had been derived in [9], 
and the exact value had first been proven by Christandl and Schuch [10]. 2 

• Result (informal): We find p w in(G BB84 ) = 1/2 + l/(2\/2) ~ 0.85. Moreover, this value 
can be achieved when Bob and Charlie have a classical memory only. 

Interestingly, we thus see that monogamy of entanglement wins out entirely, cancelling the 
power of Bob and Charlie's quantum memory - the optimal winning probability can be achieved 
without any entanglement at all. In fact, this strategy results in a higher success probability 
than the one in which Bob is maximally entangled with Alice and Charlie is classical. In such a 
case the winning probability can be shown to be at most 1/2. In spirit, this result is similar to 
(but not implied by) recent results obtained in the study of non-local games where the addition 
of one or more extra parties cancels the advantage coming from the use of entanglement [23] . 

To employ the monogamy game for quantum cryptographic purposes, we need to understand 
what happens if we play the same game G n times in parallel. The resulting game, G xn , requires 
both Bob and Charlie to guess the entire string of measurement outcomes, where 

Xj, j G [n], is generated by measuring pj^ {pAj is the quantum state provided by Bob and 
Charlie in the j-th round of the game) in the basis A4 Sj , and 8j G is chosen uniformly at 
random. Strategies for Bob and Charlie are then determined by the state PAi...A„BC (with each 
Aj being d-dimensional) as well as independent measurements on B and C that produce a guess 
of the string x, for each value of 9 = 9\ . . . 9 n G 0™. 

Returning to our example, Bob and Charlie could repeat the strategy that is optimal for 
a single round n times to achieve a winning probability of £> w j n (G BB84 ) n = (1/2 + 1/(2^2)" < 
J>win(G BB84 ), but is this really the best they can do? Even classically, analyzing the n-fold parallel 



1 For example, this follows from a proof of an entropic uncertainty relation by Deutsch [13]. 

2 However, neither the techniques from [9] nor from [10] work for parallel repetitions. 
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repetition of games or tasks is typically challenging. Examples include the parallel repetition of 
interactive proof systems (see e.g. [20, 38]) or the analysis of communication complexity tasks 
(see e.g. [28]). In a quantum world, such an analysis is often exacerbated further by the presence 
of entanglement and the fact that quantum information cannot generally be copied. Famous 
examples include the analysis of the "parallel repetition" of channels in quantum information 
theory (where the problem is referred to as the additivity of capacities) (see e.g. [17, 43]), 
entangled non-local games [24], or the question whether an eavesdropper's optimal strategy in 
quantum key distribution (QKD) is to perform the optimal strategy for each round. Fortunately, 
it turns out that strong parallel repetition does hold for our monogamy game. 

• Main Result (informal): We find j> w in(G*£ 84 ) = (1/2 + 1/(2^/2))™. More generally, 
for all monogamy-of-entanglement games using incompatible measurements, we find that 
Pwin(G xn ) decreases exponentially in n. This also holds in the approximate case where 
Bob and Charlie are allowed to make a small fraction of errors. 

Our proofs are thereby appealing in their simplicity and use only tools from linear algebra, 
inspired by techniques proposed by Kittaneh [27]. Note that, in the more general case, we obtain 
a parallel repetition theorem, albeit not strong parallel repetition. 

B. Applications 

Quantum Key Distribution 

The first application of our results is to the security of QKD, which allows honest Alice 
and Bob to establish a secure key [36, 42] in the presence of an eavesdropper, Eve [4, 15, 48]. 
In the entanglement-based setting, Eve supplies an arbitrary state pabe, where Alice obtains 
PA and Bob obtains ps- Alice and Bob then create raw keys by measuring their respective 
shares of the state. By comparing a random sample of their measurement results, they can 
check if the correlations are strong enough to allow the extraction of a secure key; if not, they 
will simply abort the protocol. Usually, security proofs for QKD make more or less stringent 
assumptions about the measurement devices used by Alice and Bob to create their respective 
raw keys. These theoretical assumptions are not necessarily satisfied by real-world devices, 
leaving the implementations of the protocol open to hacking attacks [32]. The notion of device 
independence [37] aims to extend security to a regime where the measurement devices of Alice 
and/or Bob are untrusted. 

Here, we consider a security analysis that is based on the uncertainty principle of quantum 
mechanics. This approach inherently assumes that the incompatibility of Alice's measurements 
is known. That is, it considers a setting of one-sided device independence in which only Bob's 
measurement device is untrusted. To see the link to the monogamy game consider the BB84 
protocol [4] in which Alice measures n qubits independently at random in the BB84 bases. 
Alice's measurement outcome x € {0, 1}™ forms the raw key which Alice and Bob will test for 
errors and then hash to obtain the final key. The key to security is the impossibility of both 
Bob and Eve producing an accurate guess for x. In particular, we expect that whenever Bob 
can guess x sufficiently well to pass the correlation test, then the probability that Eve guesses 
x correctly is strictly limited. In this case, Alice and Bob can obtain a secure key from x using 
privacy amplification [39]. We may thus imagine that Eve takes on the role of Charlie and Bob 
in the monogamy game: Eve supplies pA 1 ...A n BC an d dictates the measurement performed by 
Bob in order to maximize the probability that both herself and Bob produce a good guess for x 
without further communication. However, our main result implies that the probability for this 
to succeed drops exponentially in n. 
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• Application to QKD (informal): We show that the BB84 QKD scheme is secure in 
the setting of fully one-sided device independence and provide a complete security analysis 
for finite key lengths. 

We emphasize that our analysis allows for fully one-sided device independence in the sense 
that no assumptions are made on the initial state or the measurements performed by Bob, 
except that there is no communication allowed between Bob and Eve after the state has been 
distributed. (Earlier work by one of us [46] sketches a security analysis for the above setup; 
however, a close inspection of the arguments presented reveals that they are insufficient unless 
additional (weak) assumptions about Bob's device are made.) 



Position Verification 

Our second application is to the task of position verification. Here, we consider a 1- 
dimensional setting where a prover wants to convince two verifiers that he controls a certain 
position, pos. The verifiers are located at known positions around pos, honest, and connected by 
secure communication channels. Moreover, all parties are assumed to have synchronized clocks, 
and the message delivery time between any two parties is assumed to be proportional to the 
distance between them. Finally, all local computations are assumed to be instantaneous. 

Position verification and variants thereof (like distance bounding) is a rather well-studied 
problem in the field of wireless security (see e.g. [9]). It was shown in [9] that in the presence 
of colluding adversaries at different locations, position verification is impossible classically, even 
with computational hardness assumptions. That is, the prover can always trick the verifiers into 
believing that he controls a position. The fact that the classical attack requires the adversary 
to copy information, initially gave hope that we may circumvent the impossibility result using 
quantum communication [8, 25, 26, 34, 35]. However, such schemes were subsequently broken [31] 
and indeed a general impossibility proof holds [7]: without any restriction on the adversaries, 
in particular on the amount of pre-shared entanglement they may hold, no quantum scheme 
for position verification can be secure. This impossibility proof was constructive but required 
the dishonest parties to share a number of EPR pairs that grows doubly-exponentially in the 
number of qubits the honest parties exchange. Using port-based teleportation, as introduced by 
Ishizaka and Hiroshima [21, 22], this was reduced by Beigi and Konig [1] to a single exponential 
amount. On the other hand, there are schemes for position verification that are provably secure 
against adversaries that have no pre-shared entanglement, or only hold a couple of entangled 
qubits [1, 7, 8, 31]. 

However, all known schemes that are provably secure with a negligible soundness error (the 
maximal probability that a coalition of adversaries can pass the position verification test for 
position pos without actually controlling that specific position) against adversaries with no or 
with bounded pre-shared entanglement are either multi-round schemes, or require the honest 
participants to manipulate large quantum states. 

• Application to Position Verification (informal): We present the first provably secure 
one-round position verification scheme with negligible soundness error in which the honest 
parties are only required to perform single qubit operations. We prove its security against 
adversaries with an amount of pre-shared entanglement that is linear in the number of 
qubits transmitted by the honest parties. 
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Entropic Uncertainty Relation 

The final application of our monogamy game is to entropic uncertainty relations with quantum 
side information [6]. Our result is in the spirit of [12, 46] which shows an uncertainty relation 
for a tripartite state pabc f° r measurements on A, trading off the uncertainty between the two 
observers B and C as in our monogamy game. 

• Application to Entropic Uncertainty Relations (informal): For any two general 
(POVM) measurements, {N°} x and {N*} x , we find 



H min {X\BO) p + H min {X\CO) p > -2 log where c = max 
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The entropies are evaluated for the post-measurement state pxBC&i with X the outcome 
of the measurement {N®} x , where O S {0, 1} is chosen uniformly at random. 



C. Outline 

The remainder of this manuscript is structured as follows. In Section II, we introduce the basic 
terminology and notation used throughout this work. In Section III, we discuss the monogamy 
game and prove a strong parallel repetition theorem. Here, we also generalize the game to 
include the case where Bob and Charlie are allowed to have some errors in their guess and show 
an upper bound on the winning probability for the generalized game. Sections IV, V and VI 
then apply these results to prove security for one-sided device independent QKD, a one-round 
position verification scheme and an entropic uncertainty relation. 



II. TECHNICAL PRELIMINARIES 
A. Basic Notation and Terminology 

Let !K be an arbitrary, finite dimensional Hilbert space. £(!K) and V(^K) denote linear and 
positive semi- definite operators on 5C, respectively. The set of density operators on !K, i.e., the 
set of operators in V{Ji) with unit trace, is denoted by <S(IK). For A, B £ £(IK), we write A > B 
to express that A — B& P(9i). When operators are compared with scalars, we implicitly assume 
that the scalars are multiplied by the identity operator, which we denote by ljf, or 1 if "K is 
clear from the context. A projector is a positive semi-definite operator P 6 V{'K) that satisfies 
P 2 = P. A POVM (short for positive operator valued measure) is a set {N x } x of operators 
N x S V{'K) such that N x = 1. Moreover, a POVM is called projective if all elements N x are 
projectors. We use the trace distance 

A(p, a) := rnax tx(E(p — a)) = — tr|p — a\, where \L\ = VL^L, 

as a metric on density operators p,o~ £ <S(IK). 

The most prominent example of a Hilbert space is the qubit, IK = C 2 . The vectors |0) and 
1 1) form its rectilinear (or computational) basis, and the vectors H\0) = (|0) + \ l})/^/2 and 
H\ 1) = (|0) — 1 1))/\/2 form its diagonal (or Hadamard) basis, where H denotes the Hadamard 
matrix. More generally, we often consider systems composed of n qubits, JC = C 2 ®- • -<g>C 2 . For 
x, 9 G {0, l} n , we write \ x e ) as a shorthand for the state vector H 9l \x\) • • • <g> H n \x n ) £ !H. 
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B. The Schatten oo-Norm 



For L G C(JK), we use the Schatten oo-norm ||L|| := ||L||oc = s i(-^)> which evaluates the 
largest singular value of L. In particular, if L is Hermitian (L = L^), this is the largest eigenvalue 
of L. It is easy to verify that this norm satisfies ||L|| 2 = L\\ = \\LlJ\\. Moreover, for 
A, B G VCJi), A < B implies \\A\\ < \\B\\. Finally, for block-diagonal operators we have 
||A©J3|| =max{p||,||S||}. 

We need the following fact about the norm of projected operators. Note that this lemma 
does not hold if the projectors are replaced by general positive semi-definite operators. 

Lemma 1. Let P,Q G V{'K) be projectors and P < Q, and let L G C{"K). Then, it holds that 
\\PL\\ < \\QL\\ and \\LP\\ < \\LQ\\. 

Proof. We show the first statement, and the proof of the second statement follows analogously. 
We find ||PL|| 2 = \\L^P 2 L\\ = \\tfPL\\ < \\^QL\\ = \\ L ^Q 2L m = \\QL\\ 2 - □ 

In particular, applying the lemma twice, we find that ||PQ|| 2 = ||P(5-P|| < H-P'Q'-P'H for any 
two pairs of projectors satisfying P < P' and Q < Q' . 

One of our main tools is the following Lemma 2, which bounds the Schatten norm of the 
sum of n positive semi-definite operators by means of their pairwise products. We derive the 
bound using a construction due to Kittaneh [27], which was also used by SchafFner [41] to derive 
a similar, but less general, result. 

We call two permutations vr : [N] -)■ [N] and vr' : [N] -> [N] of the set [N] := {1,...,N} 
orthogonal if ^ f° r ah i £ [N]. There always exists a set of N permutations of [N] 

that are mutually orthogonal (for instance the N cyclic shifts). 

Lemma 2. Let A\, A2, ■ ■ ■ , An G T > {'K), and let {^ k }k£[N] be a set of N mutually orthogonal 
permutations of [N] . Then, 



ie[N] 



< 



E 

ke[N] 



max 



(1) 



Proof. We define X = [X{j] as the N x N block-matrix with blocks given by Xj,- = 8j\y/A~i. 
Then, the matrices X'X and XX^ are easy to evaluate, namely, (X^X)ij = SuSji A4, as 
well as XX* and = y/Ai^/A~. We have 



£4 

ie[N] 

Next, we decompose XX^ = D\ + D2 + 
permutations 7r fc , respectively, as (-Dfe)ij = 



\X j X\\ = \\XX ] \ 



-Dat, where the matrices are defined by the 



CAiWAj. Note that the requirement that 



the permutations are mutually orthogonal ensures that XXt = Y,k D k- Moreover, since the 
matrices are constructed such that they contain exactly one non-zero block in each row and 
column, they can be transformed into a block-diagonal matrix 



i£[N] 



by a unitary rotation. Hence, using the triangle inequality and unitary invariance of the norm, 
we get || Yjk Ak\\ < Yk \\ D A\ = Sfe ll^fell' wmcn implies (1) since || i Lj|| = max; □ 



A special case of the above lemma states that |^4x + A-i | < max {||^i||) 1 1 ^-2 1 
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C. CQ-States, and Min-Entropy 



A state pxB £ Si^Kx ® Kb) is called a classical- quantum (CQ) state with classical X over 
Af, if it is of the form pxB = YlxeX Px\ x )( x \x ® P^' wnere {|x)} a;6 ^' is a fixed basis of "Kx, 
{Px}xeX is a probability distribution, and G 5 (1Kb)- For such a state, X can be understood 
as a random variable that is correlated with (potentially quantum) side information B. 

If A : X — > {0, 1} is a predicate on X, then we denote by Pr p [A(AT)] the probability of the 
event X(X) under p; formally, Pr (0 [A(-X")] = ^2 x p x A (a;). We also define the state Pxb\\(X)j which 
is the state of the X and B conditioned on the event A (AT). Formally, 



For a CQ-state pxB 6 S{"Kx <8> K#), the min- entropy of AT conditioned on S [39] can be 
expressed in terms of the maximum probability that a measurement on 5 yields the correct 
value of X, i.e. the guessing probability. Formally, we define [29] 



Here, the optimization is taken over all POVMs {N x } x on B, and here and throughout this 
paper, log denotes the binary logarithm. 

In case of a CQ-state pxBQ with classical X, and with additional classical side information 
0, we can write pxBe = ^2gPe ® Pxb- ^he min-entropy of X conditioned on B and 
then evaluates to 



H min (X\BQ) p = -log p guess (X\B@) p , where p guess (X\B@) p = p gU ess(X\B) p e . (2) 



An intuitive explanation of the latter equality is that the optimal strategy to guess X simply 
chooses an optimal POVM on B depending on the value of 0. 

The min-entropy also satisfies a data-processing inequality which formalizes the intuition 
that removing part of the quantum memory generally makes guessing harder. Namely, we have 
H m _\ n {X\BC) p < H m i n (X\B) p for all states pxbc- An overview of the min-entropy and its 
properties can be found in [45]. 



In this section, we investigate and show strong parallel repetition for the game G B bs4- Then, 
we generalize our analysis to allow arbitrary projective measurements for Alice and consider the 
situation where Bob and Charlie are allowed to make some errors. But to start with, we need 
some formal definitions. 

Definition 1. A monogamy-of-entanglement game G consists of a finite dimensional Hilbert 
space 'Ka an d a list of projective measurements Ai d = {F®} x& x on a K^, indexed by 9 G 0, 
where X and are finite sets. 

We sometimes use less bulky terminology and simply call G a monogamy game. Note that for 
any positive integer n, the n-fold parallel repetition of G, denoted as G xn and naturally specified 
by CK® n and {F x ^ • • • <g> i ? J , ™}xi,...,x„ for 9\, . . . , 9 n G 0, is again a monogamy game. 




Hmin(X\B) p : 




e 



III. PARALLEL REPETITION OF MONOGAMY GAMES 
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Definition 2. We define a strategy S for a monogamy- of- entanglement game G as a list 

S = { PABC ,P d x ,Q e x ], (3) 

where P abc £ S('Ka®'Kb®'Kc)> and Kb andKc are arbitrary finite dimensional Hilbert spaces. 
Furthermore, for all 9 6 8, {P x } x ^x an d {Q x }xex are POVMs on Kb o,nd Kc, respectively. 
A strategy is called pure if the state P abc * s pure and all the POVMs are projective. 

If S is a strategy for game G, then the n-fold parallel repetition of S, which is naturally given, 
is a particular strategy for the parallel repetition G xn ; however, it is important to realize that 
there exist strategies for G xn that are not of this form. In general, a strategy S n for G xn is 
given by an arbitrary state P Ai...A n BC £ 5(!K^ n (g) Kb ® ^c) (with arbitrary "Kb and Kc) and 
by arbitrary POVM elements on "Kb and Kq, respectively, not necessarily in product form. 

The winning probability for a game G and a fixed strategy S, denoted by p w ; n (G, S), is defined 
as the probability that the measurement outcomes of Alice, Bob and Charlie agree when Alice 
measures in the basis determined by a randlomly chosen 8 G and Bob and Charlie apply their 
respective POVMs {P x } x an d {Q x }x- The optimal winning probability, p w i n (G), maximizes the 
winning probability over all strategies. The following makes this formal. 

Definition 3. The winning probability for a monogamy game G and a strategy S is defined as 

p win (G, S) := j^T tr {Tl e p A Bc) , where if := F 6 X ® P e x ® Q x . (4) 
6»ee ' ' x&x 

The optimal winning probability is 

Pwin(G) := sup p win (G,S), (5) 
s 

where the supremum is taken over all strategies S for G. 

In fact, due to a standard purification argument and Neumark's dilation theorem, we can 
restrict the supremum to pure strategies (cf. Lemma 9 in Appendix A). 



A. Strong Parallel Repetition for G B B84 

We are particularly interested in the game G B bs4 an d its parallel repetition Ggg g4 . The latter is 
given by K A = (C 2 ) m and the projectors F e x = \x e ){x e \ = H 9l \xi)(xi\H dl ®- ■ ■®H 6n \x n }(x n \H en 
for 6,x G {0, l} n . The following is our main result. 

Theorem 3 (Strong Parallel Repetition). For any n G N, n > 1, we have 

Pwin(G££J= Q + ^f) n - (6) 

Proof. We first show that this guessing probability can be achieved. For n = 1, consider the 
following strategy. Bob and Charlie prepare the state \ <j)) := cos^|0) +sin^|l) and send it to 
Alice. Then, they guess that Alice measures outcome 0, independent of 6. Formally, this is the 
strategy S± = {\<ft)((j)\, P x = 5 x q,Q x = <5 x o}- The optimal winning probability is thus bounded 
by the winning probability of this strategy, 

/ 7T\ 2 1 
Pwin(G BB 84) > COS - = - + 



2 2^2 



9 



and the lower bound in Eq. (6) follows by repeating this simple strategy n times. 

To show that this simple strategy is optimal, let us now fix an arbitrary, pure strategy 
$n — {pA 1 ...A n BC, Px >Qx}- From the definition of the norm, we have tr(M Pabc) < 11-^11 f° r 
any M > 0. Using this and Lemma 2, we find 

Pwin (G B x B " 84 ,5 n .) = ^ltr(nV...A„Bc) < ^|E n 1 ^ max||n 9 n- fc w||, (7) 

e e k 

where the optimal permutations ir k are to be determined later. Hence, the problem is reduced 
to bounding the norms ||nW||, where 9' = ir k {9). The trivial upper bound on these norms, 1, 
leads to Pwin(Ggg g4 , S n ) < 1. However, most of these norms are actually very small as we see 
below. 

For fixed 6 and k, we denote by T the set of indices where 9 and 9' differ, by T c its complement, 
and by t the Hamming distance between 9 and 9' (hence, t = |7~|). We consider the projectors 

P = ^2\x 9 T }(x e T \®l r c® P° ®1 C and Q = J2\ x t)( x T I ® l T- ® 1b ® Q% , 

X X 

where \xj-) is \x e ) restricted to the systems corresponding to rounds with index in 7~, and lq-c 
is the identity on the remaining systems. 

Since ir e < P and vr e ' < Q, we can bound ||7r 6, 7r 6K || < ||-P(5-P|| using Lemma 1. Moreover, it 
turns out that the operator PQP has a particularly simple form, namely 

pqp=Y j \ A-tA l vWt l AtA I ® ir* ® pIpI ® Qy 

x,y,z 

= Y.\( x T\yT)\ 2 \A)(A\®^®p°®Q e y ' 

= 2~* Yl \ x t)( x t\ ® l T- ® Px ® lc, 

x 

where we used that P®P® = S XZ P^ and \{x^-\yj-)\ 2 = 2~ t . The latter relation follows from the 
fact that the two bases are diagonal to each other on each qubit with index in T ■ From this 
follows directly that ||PQP|| = 2 _ *. Hence, we find 1 1 vr 6 * vr 6 *' 1 1 < V2 Note that this bound is 
independent of the strategy and only depends on the Hamming distance between 9 and 9'. 

To minimize the upper bound in (7), we should choose permutations ir k that produce tuples 
{9,9' = ir k (9)) with the same Hamming distance as this means that the maximization is over a 
uniform set of elements. A complete mutually orthogonal set of permutations with this property 
is given by the bitwise XOR, ir k (9) = 9(B k, where we interpret k as an element of {0, l} n . Using 
this construction, we get exactly (?) permutations that create pairs with Hamming distance t, 
and the bound in Eq. (7) evaluates to 

k t — 

Since this bound applies to all pure strategies, Lemma 9 concludes the proof. □ 

B. Arbitrary Games, and Imperfect Guessing 

The above upper-bound techniques can be generalized to an arbitrary monogamy game, G, 
specified by an arbitrary finite dimensional Hilbert space "Ka an d arbitrary projective measure- 
ments {F®} X £X, indexed by 9 € O, and with arbitrary finite X and G. The only additional 
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parameter relevant for the analysis is the maximal overlap of the measurements, 

2 



c(G) := max max 

9,e'ee x,x'eX 

9^9' 



F° F° 

x X x x' 



which satisfies 1/\X\ < c(G) < 1 and c(G xn ) = c(G) n . This is in accordance with the definition 
of the overlap as it appears in entropic uncertainty relations, e.g. in [30]. Note also that in the 
case of G BB 84, we have c(G BB 84) = \- 

In addition to considering arbitrary monogamy games, we also generalize Theorem 3 to the 
case where Bob and Charlie are not required to guess the outcomes perfectly but are allowed to 
make some errors. The maximal winning probability in this case is defined as follows, where we 
employ an argument analogous to Lemma 9 in order to restrict to pure strategies. 

Definition 4. Let Q = {(vr^, vr^,)}^ be a set of pairs of permutations of X , indexed by q, with 
the meaning that in order to win, Bob and Charlie 's respective guesses for x must form a pair 
in {(7r^(x), 7rp(x))} g . Then, the optimal winning probability of G with respect to Q is 

■ (G; Q) := sup £ ^tr(lTW) with U e := £ *2 ® E P 4(*) ® Q k(*)> 



xex 



where the supremum is taken over all pure strategies S for G. 

We find the following upper bound on the guessing probability, generalizing the upper bound 
on the optimal winning probability established in Theorem 3. 

Theorem 4. For any positive n £ N, we have 

Pwin(G xn ;Q)<|Q|f-^ + ^ 



lei 



ei 



V^G) 



Recall that in case of G BBg4 , we have \Q\ = 1, |0| = 1, and c(G BBg4 ) = \, leading to the 
bound stated in Theorem 3. 



Proof. We closely follow the proof of the upper bound in Theorem 3. For any pure strategy 
•S n = {PA 1 ...A n BC,PxiQx}i we bound 



Y_L tT m<>p Al A BC ) < -V|| V ni < j^—Y ymax||nX fcw ll. 



10 n v r^...~n^j - , @ 

where we introduce 11® := ( (££)™ =1 F { 3 



p o 

TT%(x) 



Q 6 ' q i v We now fix 6 and 9' and bound 
the norms ||IT?IT? II. Let T be the set of indices where 9 and 9' differ. We choose 



(8) 



9 1 



P = J2 ( 8> F °t® x t c ® p k(x) ® lc and ^ = E ® F 5 ® lr« ® 1 b ® Q e ^ n(x) 



V 1 1 2 



and again note that 1 1 n^XT^ || < ||PQP|| due to Lemma 1. We evaluate 



\PQP\ 



E ® F i i A F i ® ® pk(x) p k {z) ® 



x,y,z£eT 



liv) 



-a p° 



< c(G)*. 
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It remains to find suitable permutations ir k and substitute the above bound into (8). Again, 
we choose permutations with the property that the Hamming distance between 9 and 7r k (8) is 
the same for all 9 G O n . It is easy to ver ify that there are (™) (|0| - 1)* permutations for which 
the (^-independent) Hamming distance between 9 and ir k (9) is t. Hence, 

E |^tr(nV...^c) <||Le(") (lei - ifiV^Y = \Q\ + ^ VwJ , 

which concludes the proof. □ 

One particularly interesting example of the above theorem considers binary measurements, i.e. 
X = {0, 1}, where Alice will accept Bob's and Charlie's answers if and only if they get less than 
a certain fraction of bits wrong. More precisely, she accepts if d(x,y) < 711 and d(x, z) < 7' n, 
where d(-, ■) denotes the Hamming distance and y, z are Bob's and Charlie's guesses, respectively. 
In this case, we introduce the set Q™ / that contains all pairs of permutations (tt^, ttq) on {0, l} n 
of the form ir q B {x) = x® k, tt^,(x) = x(B k' , where q = {k, k'}, and k, k' G {0, l} n have Hamming 
weight at most 7 and 7', respectively. One can upper bound |Q™ /| < 2 nh ^ +nh<yl \ where h(-) 
denotes the binary entropy. We thus find 



1 + (|0|-1)V^(G) 



101 



Similarly, if we additionally require that Charlie guesses the same string as Bob, we analogously 
define the corresponding set Q™, with reduced cardinality, and 



2hM i+m^hmy . ( 9 ) 



IV. APPLICATION I 
ONE-SIDED DEVICE-INDEPENDENT QUANTUM KEY DISTRIBUTION 

For the following analysis, we assume some familiarity with concepts in quantum key dis- 
tribution (QKD) and security. In particular, we do not discuss the classical post-processing — 
information reconciliation and privacy amplification — which is required to extract a secret key. 
For simplicity, we consider an entanglement-based [15] variant of the BB84 QKD scheme [4], 
where Bob waits with performing the measurement until Alice tells him the right bases. This 
protocol is impractical because it requires Bob to store a quantum state. However, it is well 
known that security of this impractical version implies security of the original, more practical 
BB84 QKD scheme [5]. It is straightforward to verify that this implication also holds in the 
one-sided device-independent setting we consider here. 

The entanglement-based QKD scheme, E-QKD(n, t, s, £, 7), is described in Figure 1. It is 
parameterized by positive integers < t,s,£ < n and a real number < 7 < \. Here, n is 
the number of qubits exchanged between Alice and Bob, t is the size of the sample used for 
parameter estimation, s is the leakage (in bits) due to error correction, and i is the length (in 
bits) of the final key. Finally, 7 is the tolerated error in Bob's measurement results. 

A QKD protocol is called "perfectly secure if it either aborts and outputs an empty key, K = _L, 
or produces a key that is uniformly random and independent of the eavesdropper's (quantum 
and classical) information E + gathered during the execution of the protocol. Formally, the final 
state must be of the form 

Pke+ = Pr[A' / _L] • [i K <g> p E +\K^± + Pr[K = _L] • \±){±\k ® Pe+\k=±, 

n 1 ' n 
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The protocol E-QKD(n, t, s, i, 7) 

State Preparation: Alice prepares n EPR pairs, i.e., pairs of qubits in the maximally entangled state 
-75 (1 0) ® 1 0) + 1 1) ® 1 1» • Then, of each pair, she keeps one qubit and sends the other to Bob. 

Confirmation: Bob confirms receipt of the n qubits. (After this point, there cannot be any communi- 
cation between Bob's device and Eve.) 

Measurement: Alice chooses random € {0, 1}™ and sends it to Bob, and Alice and Bob measure the 
EPR pairs in basis to obtain X and Y, respectively. 

(Remember: Bob's device may produce Y in an arbitrary way, using a POVM chosen depending 
on acting on a state provided by the adversary.) 

Parameter Estimation: Alice chooses a random subset T C {1, . . . , n} of size t, and sends T and Xt 
to Bob. If the relative Hamming distance, a\ e \{XT, Yr), exceeds 7 then they abort the protocol 
and set K = JL. 

Error Correction: Alice sends a syndrome S(Xf) of length s and a random universal hash function 
F : {0, 1}™"* -> {0, l} 1 to Bob. 

Privacy Amplification: Alice computes K = F(Xt") and Bob K = F(Xt^), where Xt<> is the cor- 
rected version of 1t c ■ 

FIG. 1. An entanglement-based QKD scheme [15]. 

where px is a 2^-dimensional completely mixed state. We assume that the state |_L)(_L|# is 
orthogonal to px- 

Relaxing this condition, a protocol is called 5-secure if Pke+ is 5-close to the above form in 
trace distance, meaning that Pke+ satisfies 

Pi[K / _L] • A(p KE +\ K ^_ L , fi K ® Pe+\k?±) < 5 ■ (10) 

For example, a protocol that outputs K = _L except with probability 5 is trivially 5-secure. 

It is well known and has been proven in various ways that E-QKD is 5-secure (with small 5) 
with a suitable choice of parameters, assuming that all quantum operations are correctly per- 
formed by Alice and Bob. We now show that the protocol remains secure even if Bob's measure- 
ment device behaves arbitrarily and possibly maliciously. The only assumption is that Bob's 
device does not communicate with Eve after it received Alice's quantum signals. This restric- 
tion is clearly necessary as there would otherwise not be any asymmetry between Bob and Eve's 
information about Alice's key. Note that the scheme is well known to satisfy correctness and 
robustness; hence, we do not argue these here. 

Theorem 5. Consider an execution of E-QKD(n,t, s,£, 7), with an arbitrary measurement 
device for Bob. Then, for any e > 0, the protocol E-QKD is 5-secure with 

2 2^2 

Note that with an optimal error correcting code, the size of the syndrome for large n ap- 
proaches the Shannon limit s = 71/1(7). The security error S can then be made negligible in n 
with suitable choices of parameters if log(l//3 D ) > 2/1(7), which roughly requires that 7 < 0.015. 
Hence, the scheme can tolerate a noise level up to 1.5% asymptotically. 3 



3 This can be improved slightly by instead considering a six-state protocol, where the measurement is randomly 
chosen among three mutually unbiased bases on the qubit. 
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Proof. We prove security in the presence of an adversary, Eve (holding a quantum system E), 
who may arbitrarily manipulate the states sent from Alice to Bob in the first step of the protocol. 
For this purpose, let pqtabe — p<~> ® Pt ® \iPabe){'4>abe\ be the state before Alice and Bob 
perform the measurements on A and B, respectively. Here, the random variable contains 
the choice of basis for the measurement, whereas the random variable T contains the choice of 
subset on which the strings are compared. (Refer also to the protocol description in Fig. 1.) 
Moreover, let pqtxye be the state after Alice and Bob measured, where — for every possible 
value 9 — Alice's measurement is given by the projectors and Bob's measurement 

by an arbitrary but fixed POVM {P°} x . 

As a gedankenexperiment, we consider the scenario where Eve wants to guess the value of 
Alice's raw key, X. Eve wants to do this during the parameter estimation step of the protocol, 
exactly after Alice broadcast T but before she broadcasts Xt- For this purpose, we consider 
an arbitrary measurement strategy of the eavesdropper that aims to guess X. Such a strategy 
is given by -for every basis choice, 9, and every choice of sample, r — a POVM {Qx ,T }x- The 
values of 9 and r have been broadcast over a public channel, and are hence known to Eve at 
this point of the protocol. She will thus choose a POVM depending on these values to measure 
E and use the measurement outcome as her guess. 

For our gedankenexperiment, we will use the state, peTXYZ, which is the (purely classical) 
state that results after Eve applied her measurement on E. A Let e > be an arbitrary constant. 
By our results from Section III, it follows that for any choices of {P%}x an d {Qx T }x, we have 

Pr[d iel (X,Y)< 7 +e A Z = X] < p win (G^ M ,Q; +£fi ) < (3 n 

with f3 = 2 h ^ +e ^ ■ (3 , where <i re i denotes the relative Hamming distance. This uses the fact that 
Alice's measurement outcome is independent of T, and T can in fact be seen as part of Eve's 
system for the purpose of the guessing game. 
We now construct a state pqtxye as follows. 

PQTXYE = Pr[fi] • POTXYE\Q + (l ~ Pr[f2]) • O-QTXYE, 

where 0, denotes the event O = {d re \(X, Y) < d re \(XT, Yt) + £}> an d we take otqxye to be an 
arbitrary state with classical O, T, X and Y for which d re \(X, Y) = 1, and hence d re i(-Xr, Yt) = 1. 
Informally, the event f2 indicates that the relative Hamming distance of the sample strings Xt 
and Yt determined by T was representative of the relative Hamming distance between the whole 
strings, X and Y, and the state Pqtxye is so that this is satisfied with certainty. By construction 
of Pqtxye, we have A(p eT xYE, Pqtxye) < 1 - Pr p [fi], and by Hoeffding's inequality [19], 

1 - Pr[n] = Pr[d ml (X, Y) > d Icl (X T , Y T ) + e] < e~ 2eH . (11) 
p p 

Moreover, note that the event d re \(XT, Yt) < 7 implies d re \(X, Y) < -y + e under pqtxye- Thus, 
for every choice of strategy {Qx' T }x by the eavesdropper, the resulting state Pqtxyz, obtained 
by applying {Qx' T } x to E, satisfies 

Pr[d Tcl (XT,Y T )< 1 AZ = X}<Pv[d Tcl (X,Y)< 1 +eAZ = X] (12) 
p p 

< Pr[d Te i(X,Y)<i+eAZ = X] < p n . 
p 



4 For simplicity, we leave the dependency of pexYE and pexYZ on {P^}x and {Q e x ' T } x implicit. 
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We now introduce the event T = {d rc \{Xx, Yr) < 7}, which corresponds to the event that Bob 
does not abort the protocol. Expanding the left hand side of (12) to Prp[r] • Prp[Z = X|T] and 
observing that Prp[r] does not depend on the strategy {Qx ,T }x, we can conclude that either 

Pr[T] < f3 an or V '{Q 9 X ' T } X ■ Pr[Z = X\T] < ^~ a ) n , 
p p 

for any a G [0,1]. Hence, at least one of the two following conditions is satisfied: a) the 
probability that Bob does not abort the protocol is exponentially small, or b) Eve's guessing 
probability conditioned on the event that Bob does not abort is exponentially small, for any 
choice of POVM she could apply. 

We now consider the two cases separately. In case a), it is immediate that Pr p [r] < Prp[r] + 
^(pbtxye, Pqtxye) < fi an + e -2 ^ 2 * and the protocol is thus <5-secure for 5 > j3 an + e~ 2e2 *. In 
case b), we find that H m [ n (X\QTE, T)p > n(l — a) log(l//3) by definition of the min-entropy. 
(This notation means that the min-entropy of X given 0, T and E is evaluated for the state 
p~STXYE\r> conditioned on not aborting.) Hence, using the fact that s + t bits of additional 
information side information can only decrease the min-entropy by at most s + t [39] , we have 

H min (X\eTX T SE, T)p > H min (XX T S\eTE, T) p -t-a>n(l- a) log(l//3) -t-s. 

Here, the min-entropy is evaluated for the state pxQTX T SE that is constructed from pxQTE 
by calculating the error syndrome and copying Xt from X as done in the prescription of the 
protocol. In particular, A.(p~xoTX T SE, Pxstx t se) < e_2e *■ Finally, privacy amplification with 
universal hashing applied to the state Pxotx t se ensures that the key K satisfies [39] 

A(p KFeTXTSElr , H K <g> P F q TXt E\t) < \^ i - l ~ a)n y+ t+s . 
From Lemma 10 in Appendix B, it then follows that 

Pv[K + 1] • A( PKE+lK ^ ± , m ® p E+lK ^ ± ) < Ae- 2eH + i^S(i-«)»2«+n-'. 

Choosing a = ^ + (£ + t + s)/ (3n log(/3)) establishes that, for both cases a) and b), the protocol 
is 5-secure with 5 = 4e~ 2e * + ^/ /3 n 2 e + t+s - 2 . This concludes the proof. □ 

V. APPLICATION II: A ONE-ROUND POSITION- VERIFICATION SCHEME 

The scheme we consider is the parallel repetition of the simple single-qubit scheme that 
was analyzed in the setting of no pre-shared entanglement in [7]. The analysis shows that the 
soundness error of the one-round single-qubit scheme is bounded by roughly 89%, and it is 
suggested to repeat the scheme sequentially in order to reduce this soundness error. We now 
show that also the parallel repetition has an exponentially small soundness error. 5 Finally, we 
use a simple observation from [1] to argue that the scheme is also secure against adversaries with 
a linearly bounded amount of entanglement. 

The scheme, parameterized by a positive integer n, consists of the following steps. 

1. Vo and V\ agree on random x, 9 £ {0, l} n . Vo prepares a quantum system Q of n qubits in 
the state H e \x) = H 01 1 xi) (g) • • • <g) H e ™\x n ) E "K Q = (C 2 )® n and sends it to P. V\ sends 
to P, so that both arrive at P's claimed position pos at the same time. 



5 We stress that this was to be expected and does not come as a surprise. However, until now it was unclear 
how to prove it. 
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2. As soon as Q and 9 arrive, P measures the i-th qubit in basis {H e *\0), H 0i \ 1)} for i = 
1, ... ,n. Let x' G {0, l} n collect the observed bits. P sends x' to Vq and Vi. 

3. If Vq and Vi receive x' at the respective time consistent with pos, and if x' = x, then Vq 
and Vi accept; otherwise, they reject. 

It is straightforward to verify that this protocol is correct, meaning that the verifiers accept 
honest P at position pos with certainty (assuming a perfect setting with no noise, etc.). 

Proposition 6. The above position verification scheme is (^-\--^^) n -sound against adversaries 
(Eq,Ei) that hold no entangled state at the time they receive Q and 9, respectively. 

We stress that a restriction on the entanglement is necessary, as with unbounded entanglement 
the general impossibility result from [7] applies. In fact, for the specific scheme considered here, 
already n shared EPR-pairs are sufficient to break it, as shown in [26]. Below, we will extend 
the security of the scheme to a setting where the adversaries share at most an entangled qubits, 
for any constant a < 0.22. 

We also point out that our adversary model (with linearly bounded entanglement) is stronger 
than the one considered by Beigi and Konig [1] for their schemes: their model not only prohibits 
quantum communication between the adversaries before they obtain the initial messages from 
the verifiers (in order to prevent the exchange of entangled states), but also afterwards. Here, we 
allow full quantum communication between the adversaries after they have received the initial 
respective messages Q and 9. 

Proof (sketch). As the colluding dishonest parties Eq and E\ share no entanglement, the most 
general attack is of the following form, where we may assume Ei to be located between V{ and 
the position pos, for i G {0, 1}. Upon receiving the n-qubit system Q (in state H e \x)) from Vo, 
the adversary Eq applies an isometry "Kq — > "Kb^^c to Q in order to obtain a bipartite system 
B and C, and forwards C to E\. Adversary E\, upon receiving 9 from V\, simply forwards 9 to 
Eq.® Then, when Eq receives 9 from Ei, he measures B ( using an arbitrary measurement that 
may depend on 9) and sends the measurement outcome x' Q G {0, l} n to Vo, and, similarly, when 
E\ receives system C from Eq, he measures C and sends the measurement outcome x\ G {0, l} n 
to V\ . The probability e that Vo and V\ accept is then given by the probability that Xq — X — X ^ . 

From a standard purification argument it follows that the probability e does not change if in 
the first step of the protocol, instead of sending Q in state H 9 \ x), Vo prepares n EPR pairs, sends 
one half of each pair towards P and only at some later point in time measures the remaining n 
qubits in the basis {H e \ y)}j / e{o,i}« to obtain x G {0, l} n . 

Let us now consider the state \ipABc) G "Ka ® ^B <S) J^c consisting of system A with the n 
qubits that Vo kept, and the systems B and C obtained by applying the isometry to the qubits 
Eq received from Vo- Since the isometry is independent of 9 — Eq needs to decide on it before 
he finds out what 9 is — so is the state \ipABc)- It is clear that in order to pass the position 
verification test the adversaries must win a restricted version of the game Ggg g4 . 7 Therefore, the 
probability e that Xq — X — X-^ IS bounded by Pwin(Ggg g4 ). Our Theorem 3 thus concludes the 
proof. □ 

The security of the position verification scheme can be immediately extended to adversaries 
that hold a linear amount of shared entanglement. 

6 This is where the restriction of no entanglement comes into play. If the adversaries shared entanglement their 
most general strategy would be to perform some joint operation on the respective part of the entangled state 
and the data they have just received. The impossibility result states that in a scenario with an unlimited 
amount of entanglement no position verification scheme can be secure. 

7 The extra restriction comes from the fact that they have no access to the qubits kept by Vo and so the reduced 
state on those must be fully mixed. It turns out that this restriction does not affect the optimal winning 
probability. 
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Corollary 7. The above position verification scheme is d- + -^-^) n -sound against adversaries 
(Eq,Ei) that share an arbitrary (possibly entangled) state rjE Ei> suc h that dimr]E Ei = d, at the 
time they receive Q and 6, respectively. 

Thus, for any a strictly smaller than logC^ + ^/j)) f° r instance for a = 0.2, the position 
verification scheme has exponentially small soundness error (in n) against adversaries that hold 
at most an pre-shared entangled qubits. 

Corollary 7 is an immediate consequence of Proposition 6 above and of Lemma V.3 of [1]. 
The latter states that e-soundness with no entanglement implies (d ■ e)-soundness for adversaries 
that pre-share a (i-dimensional state. This follows immediately from the fact that the pre-shared 
state can be extended to a basis of the d-dimensional state space, and the uniform mixture of 
all these basis states gives a non-entangled state (namely the completely mixed state). As a 
consequence, applying the attack, which is based on the entangled state, to the setting with no 
entanglement, reduces the success probability by at most a factor of d. 

By the results on imperfect guessing (see Section IIIB), at the price of correspondingly 
weaker parameters, the above results extend to a noise-tolerant version of the scheme, where it 
is sufficient for x' to be close, rather than equal, to x for Vq and V\ to accept. 

VI. APPLICATION III 
ENTROPIC UNCERTAINTY RELATION WITH QUANTUM SIDE INFORMATION 

Let p be an arbitrary state of a qubit and G a uniformly random bit. Then, we may consider 
the min-entropy of X, where X is the outcome when p is measured in either one of two bases 
with overlap c, as determined by 0. For this example, it is known that [13, 41] 

iW*|e) p >-io g ^£. (13) 

A similar relation follows directly from results by Maassen and Uffink [33], namely 

H min (X\e) p + H max (X\e) p > - logc, (14) 

where, H max denotes the Renyi entropy [40] of order ^. 

Recently, entropic uncertainty relations have been generalized to the case where the party 
guessing X has access to quantum side information [6]. However, note that a party that is 
maximally entangled with the state of the system to be measured can always guess the outcome 
of X by applying an appropriate measurement (depending on O) on the entangled state. Thus, 
there cannot be any non-trivial state-independent bound on the entropies above conditioned 
on quantum side information. Nonetheless, if two disjoint quantum memories are considered, 
the following generalization of (14) was shown. For an arbitrary tripartite state pabc an d X 
measured on A as prescribed above, one finds [46] 

H min (X\Be) p + H mSLK (X\Ce) p > - logc. (15) 

In the following, we show a similar generalization of the uncertainty relation in (13) to quantum 
side information. 

Theorem 8. Let pabc be a quantum state and a uniformly random bit. Given two POVMs 
{F®} and {i 7 ^} with overlap c := max Xj2 1 1 \J \J F} 1 1 , we find 

p guess (X\BQ) p + Pguess (X\CQ) p < 1 + 
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and 



H min (X\B&) P + H min (X\CO) p > -2 log 



1 + xTc 



where the quantities are evaluated for the post-measurement state 
Pxbcb = 

Yl 9 \ x)(x\x®tr A ((F° ® Ibc)pabc) ®\6)(6 



(16) 



.r.e 



Proof. First, recall that the min-entropy is defined as (cf. Eq. (2)) 

2 -H m UX\Be) p = PgneUX \ Be)p = max^ w tr(p x /P°) = max \ £ tr {p AB {F e x ® P e x )) , 



where we used the fact that the post-measurement states given by (16) satisfy p x ,e Pbc = 
\^a{F^pabc)- 

In the following argument, we restrict ourselves to the case where the optimal guessing 
strategies for the min-entropy, {P®} for Bob and {Q x } for Charlie, are projective. To see that 
this is sufficient, note that we can always embed the state pxBC into a larger system pxB'C such 
that the optimal POVMs on B and C can be diluted into an equivalent projective measurement 
strategy on B' and C , respectively. The data-processing inequality of the min-entropy then tells 
us that H min (X\BQ) > H min (X\B'Q) and H min (X\CQ) > H min (X\C'@), i.e., it is sufficient to 
find a lower bound on the smaller quantities, for which the optimal strategy is projective. 

For an arbitrary state pabc anci optimal projective POVMs {P x } and {Q x }, we have 

2 -H min (X|Be) p + 2 -H rnin (X\CB) p = -J^tT^pABciF^ ® ® 1 C + ® 1 B ® Qx 

x,e 

Y Fx ® Px ® lo + Fx ® is ® Q 



We now upper-bound this norm. First, we rewrite 



x,6 i,9 



< K + ^i|| + \\A^ + A 



Oh 



where Aq = ^2 X F x ® P x ® \c and A\ = ^2 X F x ® lg ® are projectors. Applying Lemma 2 
twice then yields 

\\A° + A\\\ + WA® + Al\\ < 2 + JaJJaJ + JaJJaJ 



< 2 + 2max|| 1 /Ff v / ^"|| < 2 + 2Vc, 



where we used that 1 1 A® II < 1. Hence, 



2 - Hmin (x\BB) p + 2 -H min( x|ce )p = Pguess{ x\BQ) p + p guess (X|C9) p < 1 + yfa 
and, using the relation between arithmetic and geometric mean, we finally get 

2 



2 -H rnin (x\Be) p2 -H inin (x\ce) p < 



1 + Vc 



which implies the statement of the lemma after taking the logarithm on both sides. 



□ 
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Note that, for n measurements, each in a basis chosen uniformly at random, the above result 
still only guarantees one bit of uncertainty. In fact, an adaptation of the proof of Theorem 8 
yields the bound 

H min (X n \BQ n ) + H min (X n \CQ n ) > -2 log l±^- . 

This bound can be approximately achieved using a state that is maximally entangled between A 
and B with probability ^ and maximally entangled between A and C otherwise. This construc- 
tion ensures that both conditional min-entropies are low and we thus cannot expect a stronger 
result. This is in stark contrast to the situation with classical side information in (13) and the 
alternative uncertainty relation (15), where the lower bound on the uncertainty can be shown 
to scale linearly in n (cf. [46, 47]). Due to this restriction, we expect that the applicability of 
Theorem 8 to quantum cryptography is limited. 



VII. CONCLUSION 

We introduce the notion of a monogamy-of-entanglement game, and we show a general parallel 
repetition theorem. For a BB84-based example game, we actually show strong parallel repetition, 
and that a non-entangled strategy is sufficient to achieve the optimal winning probability. Our 
results have various applications to quantum cryptography. 

It remains open to understand which monogamy-of-entanglement games satisfy strong parallel 
repetition. Another open question is whether (or in what cases) a concentration theorem holds, 
which states that with high probability the fraction of won executions in a parallel repetition 
cannot be much larger than the probability of winning a single execution. 

With respect to our applications, an interesting open problem is to increase the noise level 
that can be tolerated for one-sided device-independent security of BB84. It is not clear at all 
that the rather low noise level of 1.5% we obtain in our analysis is inherent; this may very well 
be an artifact of our technique. 



Appendix A: Pure Strategies are Sufficient 

Lemma 9. In the supremum over strategies in (5), it is sufficient to consider pure strategies. 

Proof. Given any strategy S = {pABC> \Qx} f° r a garne G, we construct a pure strategy 
S = {\<p)(<p\,P%,Qx} wrtn Pwin(G,5) = Pwin(G,«S). First, it is clear that purifying pabc, with 
a purifying register that is appended to C, does not change the value of p w in(G,«S). Hence, we 
may assume that pabc is already pure: pabc = IfKfl- I n this case, p w { n (G,S) simplifies to 

p win (G, S) = J2 7^(<p\(\x 9 )(x 9 \ ® Pi ® Q e x )W) ■ 
x,e ' ' 

Let "Kx be a Hilbert space of dimension \X\ and with basis and let \ ipo) be an arbitrary, 

fixed vector in Jtx- We now set \(p) = \ <p) ® | tpo) G "Ka ® ^B <8> ® ^x as we H as P® = 
Uq(1b <S> \x)(x\)Uq, where Ug £ £(-^B ® ^x) is a Neumark dilation unitary that maps 
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for every G 'Kb- Then, P% is indeed a projection and hence P® = (PfflP®, and 8 

P e x \(p) = Ul(l B ® |x)(x|)c7 e (| |^» = Uly/P2\<p) ® |x) . 

Similarly, we define the projection ( an d extend the state | <£>)). It then follows immediately 
that p win (G,S) = p win (G,S). □ 

Appendix B: Equivalence of QKD Security Defintions 

Lemma 10. Let Pxb, Pxb £ S{"Kx ®K B ) be two CQ states with X over X. Furthermore, let 
A : X — > {0, 1} be a predicate on X, A = X(X), and let tx £ SftCx) be arbitrary. Then 

Pr[A] • A(p XB \ A , T X <8> Pb\a) < ^A(p XB , Pxb) + A(p XB \ A , r x ® Pb\a) ■ 

Proof. We set 5 := A(px B , Pxb)- From A(px B , Pxb) = S it follows in particular that the two 
distributions Px and Px are 5-close, and thus that the state 

a X B ■= Pr[A] • Pxb\a + Pr[->A] • Pxb\-^a 

is 5-close to pxb, and hence 2<5-close to pxb, where -iA is the negation of the event A. Since A 
is determined by X, we can write 

Hpxb, o-xb) = Pr[A] • A(p XB \ A , p XB \ A ) + Pr[->A] • A(p XB \^A, Pxb\^a) , 

from which it follows that Pr p [A] • A(px_B|A) Pxb\a) < 25, and, by tracing out X, also that 
Pr p [A] • A(p B \ A , Pb\a) — 2<5- We can now conclude that 

Pr[A] • A(p XB]A , T X ® p B \ A ) < 4<5 + Pr[A] • A(p XB]A , t x ® p B]A ) , 
which proves the claim. □ 
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